Tech giant Apple has rolled out an emergency security update addressing a serious security flaw that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.
The flaw, which affects all of the technology giant’s operating systems, lets hackers access devices through the iMessages app, even if the user doesn’t click on a malicious link or file. The exploit, dubbed “FORCEDENTRY” by the cyber security researchers, is known as a “zero-click” attack.
The issue was discovered by researchers at the University of Toronto’s Citizen Lab after they analysed the iPhone of a Saudi activist that had been infected with spyware developed by the world’s most infamous hacker-for-hire firm, Israel’s NSO Group.
Security experts have said that although the discovery is significant, most users of Apple devices should not be overly concerned as such attacks are usually highly targeted.
In a nutshell
The exploit allowed a hacker using NSO’s Pegasus malware to gain access to a device owned by the unnamed Saudi activist by first sending a message through iMessage, the company’s default messaging app, and then hacking through a flaw in how Apple processes images.
Malicious image files were transmitted to the activist’s phone via the iMessage app before it was hacked with NSO’s Pegasus spyware, which exposes a phone to eavesdropping and remote data theft.
Although examples of zero click spyware have been seen before, Citizen Lab researcher Bill Marczak said, “this is the first one where the exploit has been captured so we can find out how it works.”
Apple’s iOS and iPadOS 14.8 updates, as well as a MacOS update released on Monday, patch the FORCEDENTRY flaw, which may have been in use since February, the researchers said. This update is extremely urgent because the security vulnerability is being actively exploited.
To further highlight the seriousness of the security flaw, the tech giant also rolled out the iOS 12.5.2 patch for older devices. This is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and the 6th generation iPod Touch.
Ivan Krstic, head of Apple security engineering and architecture, said: “After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.”
“While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” he added.
NSO Group’s Pegasus was in July linked to phones belonging to dozens of journalists, human rights activists and politicians, according to an investigation by a consortium of newspapers.
Civil rights activists say the software — which requires an Israeli government licence for export because it is viewed as a weapon — can be used for unlawful surveillance, not just by certain governments to target terrorists and criminals.
When it is successfully deployed against a target, Pegasus can silently hack into a phone, collect a user’s personal and private information, intercept calls and messages, and even turn a mobile phone into a remote listening device.
Facebook’s WhatsApp was also allegedly targeted by an NSO zero-click exploit In October 2019, Facebook sued NSO in US federal court for allegedly targeting some 1,400 users of the encrypted messaging service with spyware.
NSO Group has insisted that the spyware is intended to be used to fight terrorism and crime, not to aid in human rights abuses.
How to update your Apple devices
iPhone or iPad: Go to Settings > General, and tap on Software updates. You should download the iOS 14.8 or iPadOS 14.8 packages.
Apple Watch: If your Apple Watch is connected to Wi-Fi, go to the Settings app, and head to General > Software Update. The version number for the new security update is WatchOS 7.6.2.
Macs: On the menu bar, click on the Apple icon, and then click on About this Mac. Select the Software Update option. The security update version number is MacOS 11.6.